Social engineering attacks and HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) is long and messy enough to give nearly anyone a headache. You probably know the law limits the sharing of patient information, but it also offers a wide range of exceptions. And criminals may try to exploit them.

According to the Journal of Medicine, medical providers don’t give enough thought to the threat of social engineering. Broadly, this threat covers all the techniques cybercriminals may use to trick people into sharing confidential information. These techniques stand apart from standard cyberattacks because they exploit people, not systems.

Common social engineering techniques

One reason even highly educated people can fall prey to social engineering attacks is that the end goals aren’t always clear. Often, the attacks progress in stages: the criminals move from target to target, gaining access to the system one level at a time. Recognizing some of their tricks may help keep you from becoming a victim—and from violating HIPAA.

Phishing: Criminals may use emails or websites to trick people into sharing sensitive information. These emails and websites often look like they’re from trusted agencies like banks or relief organizations.

Baiting: Criminals may leave flash drives or other devices lying about. When someone uses the device, it infects their computer with malware, transforming the computer into a new access point for the hacker.

Social media research: People don’t always pay enough attention to the backgrounds of their selfies. Criminals know that the social media accounts of employees and interns may literally offer an insider’s view of a company.

Physical visits: PCWorld explored several different ways criminals might gain access to the inside of a hospital or other physical location. They read like something out of a spy novel, but think about how many people wander the halls of a hospital or health clinic…

Who might these criminals pretend to be to gain access to your systems or patient information? That’s where a review of HIPAA’s exceptions may come in handy. HIPAA allows the potential transfer of protected information to many different people and agencies, including:

Doctors, nurses, hospitals and clinics who need the information to provide treatment

The professionals in charge of billing insurance

Law enforcement officials

FDA regulators and other public health authorities who need the information to combat diseases

Workers’ compensation representatives

In some cases, the patient’s family members

Again, it’s important to remember that criminals passing themselves off as any of these people might not even ask directly for confidential information. Someone may pose as an IT professional to get your password, or pose as a patient’s family member to discuss billing—and walk away with billing information. Their immediate goal may simply be to move one step deeper.

Greet your day with a healthy dose of skepticism

You can find yourself in serious trouble if you violate HIPAA’s Privacy Policy, even accidentally. It’s important to protect yourself, even if that means spending extra time each day verifying that people are who they claim to be.